FNB website exposed private information

I disagree. I think passing the buck to their vendors is completely and utterly disingenuous, because the vendors will develop stuff according to spec.

When working with vendors, you either work with an industry-specific player (e.g. a financial or telecoms systems expert vendor) or a general vendor. Since this is not exactly a financial-specific application, I reckon that if it wasn't in-house dev then it was a general IT vendor.

While secure code/practices are things that must be done, people tend to be lax or lack experience when they do not work with sensitive (non-financial) data, and then the ownership and risk need to be addressed on the client side. So whoever it was before might be guilty, but the proper person to hound is the IT product owner on the FNB side who approved it.

PS. This usually happens when you use multiple vendors and/or in-house ones who have not done thorough training on secure coding. To claim it is BEE related is short-sighted. It's a training issue as well as a product owner responsibility, and it is up to the client to verify its compliance with security standards.

I completely disagree with your statement. When vendors charge upwards of R800/p.h. for a developer and R1500-R2000/p.h. for project managers and architects, it is the expectation that best practices are followed. Every single security issue (CoJ, Sanral, FNB) was due to insecure direct object reference (i.e. you could not be bothered to check if the user accessing the information is entitled to it). This is one of the most basic aspects of programming, and if I had outsourced development to an IT vendor I would expect this.

In South Africa I have yet to see any company I worked with conduct penetration testing (this is only done to "tick off" some compliance aspect). Most banks and large corporates rely on contract staff who sit on premise and develop. I am not sure how it is now, but during my time at FNB and SBSA over 50% of IT staff were contracted (the same can be said about telcos).

Companies like FNB have risk and governance departments as well as enterprise architecture teams, which have procedures and policies that define how enterprise security should be implemented, and you will find that a number of people did not do their job. It is excusable that errors occur, but it is not acceptable that the bank has not acted for a month on this issue.
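To make the "insecure direct object reference" point concrete, here is an added example (not code from the thread or from any of the systems named in it): a record lookup that trusts the id from the request, beside the same lookup with the ownership check the post says was missing. The statement ids, user names and balances are constructed for the demo.

```python
# Added example, not from the thread: an insecure direct object reference
# beside its fixed form. All data below is constructed for the demo.

# Constructed sample: account statements keyed by the id a client sends in a URL.
STATEMENTS = {
    1001: {"owner": "alice", "balance": "R12 000.00"},
    1002: {"owner": "bob",   "balance": "R3 500.00"},
}


def fetch_statement_insecure(session_user, statement_id):
    """Look the record up by the client-supplied id and return it.

    Nothing ties the id to the logged-in user, so any authenticated user
    who asks for a different id is handed another customer's statement.
    This is the defect the post describes."""
    return STATEMENTS.get(statement_id)


def fetch_statement_secure(session_user, statement_id):
    """Same lookup, but the record is returned only when it belongs to the
    user identified by the server-side session (never by a client field).

    'Not found' and 'not yours' give the same result on purpose, so the
    response does not confirm that another customer's id exists."""
    record = STATEMENTS.get(statement_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


def authorization_failures(session_user, requested_ids):
    """Count requests from one session for records the user does not own.

    A cluster of these in the access log is the signal a monitoring team
    would review; with the insecure handler it never appears at all."""
    return sum(
        1 for sid in requested_ids
        if sid in STATEMENTS and STATEMENTS[sid]["owner"] != session_user
    )


if __name__ == "__main__":
    # bob's session requests alice's statement id
    print(fetch_statement_insecure("bob", 1001))  # leaks alice's record
    print(fetch_statement_secure("bob", 1001))    # None
    print(fetch_statement_secure("bob", 1002))    # bob's own record
```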